
Ankura CTIX FLASH Update – February 10, 2026

Malware Activity

Large-Scale Cloud Attacks and Stealthy Espionage Tools

Recent cybersecurity reports reveal two significant threats. First, a broad cyberattack campaign targeting popular cloud platforms like AWS and Azure has been active since late 2025. The attacker group, TeamPCP, exploits common misconfigurations in cloud tools such as Docker and Kubernetes to infiltrate servers. Their goal is to create an automated, scalable system for stealing data, deploying ransomware, mining cryptocurrencies, and maintaining control over compromised systems. They use familiar hacking techniques, installing backdoors and malware to expand their reach and sell stolen information, forming a dangerous, self-sustaining criminal network. Separately, researchers have uncovered a sophisticated espionage tool called DKnife, which Cisco Talos attributes to Chinese-linked groups and which has been active since 2019. DKnife operates on Linux devices and stealthily monitors and hijacks network traffic across various devices, including smartphones and IoT gadgets. It can steal login credentials, deliver malware, and intercept app updates, all while remaining hidden. CTIX analysts will continue to report on the latest malware strains and attack methodologies.


Threat Actor Activity

German Intel Agencies Warn of Phishing Attack on High-Ranking Officials via Signal Messaging App

Germany’s domestic intelligence agency has issued a warning about phishing attacks by suspected state-sponsored actors targeting high-ranking individuals via messaging apps like Signal. The security advisory is based on intelligence collected by the Federal Office for the Protection of the Constitution (BfV) and the Federal Office for Information Security (BSI). These attackers use social engineering, often posing as service support agents, to steal data from politicians, military officers, diplomats, and journalists across Europe, without exploiting technical vulnerabilities or using malware. Two (2) attack variants are noted: one (1) involves a full account takeover by tricking targets into sharing their Signal PIN or SMS verification code, allowing attackers to hijack the account. The other uses a QR code to pair the victim’s account with the attacker’s device, enabling chat monitoring. The attacks, observed on Signal and potentially applicable to WhatsApp, involve tactics previously used by Russian groups like Sandworm. CTIX analysts recommend that users avoid responding to suspicious support messages, block and report such accounts, and enable Signal’s ‘Registration Lock’ for added security. Regularly checking linked devices and removing unfamiliar ones is also recommended to prevent unauthorized access.


Vulnerabilities

Critical BeyondTrust RS/PRA Flaw Exposes Thousands of Systems to Pre-Auth Remote Code Execution

The cybersecurity company BeyondTrust has disclosed and patched a critical pre-authentication remote code execution (RCE) vulnerability affecting its Remote Support and Privileged Remote Access products. The flaw, tracked as (CVSS 9.9/10), stems from an operating system command injection weakness that allows unauthenticated attackers to execute arbitrary system commands without user interaction, potentially resulting in full system compromise, data exfiltration, and service disruption. The issue impacts Remote Support versions 25.3.1 and earlier and Privileged Remote Access versions 24.3.4 and earlier and has been fixed in Remote Support 25.3.2 (Patch BT26-02-RS) and Privileged Remote Access 25.1.1 (Patch BT26-02-PRA), with BeyondTrust confirming that all cloud-hosted environments were secured by February 2, 2026. However, the company is urging self-hosted customers to manually apply patches or upgrade if automatic updates are not enabled, as research indicates roughly 11,000 internet-exposed instances exist, including approximately 8,500 on-prem deployments that remain vulnerable if unpatched. While there is currently no evidence of active exploitation, the advisory carries heightened urgency given BeyondTrust’s history of RS/PRA vulnerabilities being leveraged in zero-day attacks, reinforcing the need for immediate remediation across affected environments. CTIX analysts urge any administrators responsible for self-hosting to ensure that they have automatic updates enabled.
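For self-hosted administrators triaging an appliance inventory against the version ranges above, the following is an added example (not BeyondTrust's or Ankura's code) that compares each host's reported version numerically against the last vulnerable release and names the patch to apply; the inventory rows and hostnames are constructed, and the ranges are only those the advisory states.

```python
from typing import NamedTuple, Optional

# Affected and fixed versions exactly as stated in the advisory summary:
# product -> (last vulnerable version, first fixed version, patch id)
ADVISORY = {
    "Remote Support": ("25.3.1", "25.3.2", "BT26-02-RS"),
    "Privileged Remote Access": ("24.3.4", "25.1.1", "BT26-02-PRA"),
}

class Finding(NamedTuple):
    host: str
    product: str
    version: str
    vulnerable: bool
    action: Optional[str]  # patch/upgrade to apply, None if already fixed

def parse_version(v: str) -> tuple:
    # Numeric tuple so 25.3.10 sorts after 25.3.2 (a string compare would not).
    return tuple(int(part) for part in v.strip().split("."))

def is_vulnerable(product: str, version: str) -> bool:
    # "X and earlier" in the advisory means version <= last vulnerable release.
    last_bad, _, _ = ADVISORY[product]
    return parse_version(version) <= parse_version(last_bad)

def assess(inventory) -> list:
    # inventory: iterable of (hostname, product, version); unknown products skipped.
    findings = []
    for host, product, version in inventory:
        if product not in ADVISORY:
            continue
        vuln = is_vulnerable(product, version)
        _, fixed, patch = ADVISORY[product]
        action = f"apply {patch} / upgrade to {fixed}" if vuln else None
        findings.append(Finding(host, product, version, vuln, action))
    return findings

# Constructed sample inventory (hostnames and versions are illustrative).
INVENTORY = [
    ("rs-appliance-01", "Remote Support", "25.3.1"),
    ("rs-appliance-02", "Remote Support", "25.3.2"),
    ("pra-appliance-01", "Privileged Remote Access", "24.3.4"),
    ("pra-appliance-02", "Privileged Remote Access", "25.1.1"),
    ("jump-host-01", "Other Product", "1.0"),
]

if __name__ == "__main__":
    for f in assess(INVENTORY):
        print(f"{f.host}: {f.product} {f.version} -> "
              f"{'VULNERABLE, ' + f.action if f.vulnerable else 'fixed'}")
```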


© Copyright 2026. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.
